Form processor

JustJay

I need suggestions for a good script that will process forms where the form has all the data in it that it needs to process the form (I am using ONE form for multiple people/departments and so depending on the "section" the visitor is at the mailto address changes, so as such I need a script that doesn't require the mailto value to be set in the script itself - just handle what it has been sent.

I thought I had a good one in place but despite security assurances it was still being "hijacked" by spammers and blew the server load all to heck. :mad:

Thanks!

jkurrle

Let me see if I have this correct:

1) You have a form with multiple parts.
2) Each part is to be routed to a different email address, via SendMail

Is this correct?

Is the sendmail encoding loaded in the form itself? If not, please give me a general idea of what the hijackers are doing to get access to your SendMail server. Once I have an idea of what's going on, perhaps I or someone else can suggest an alternative scripting solution.

Roger_Ramjet

The reason that they can hijack your sendmail is precisly because you include the to address in the form data. Hijacking works by appending a BCC list to data on the form that you then include in your email headers - like your variable to address.

The simplest fix is just to not use any data from the form post in your email headers.

To get around that problem in your particular case, just have a var that you use in a switch structure to determine which send to address to use.

switch ($_POST['who']) {
case 1:
  $to = 'joe.blow@home.com';
  break;
case 2:
  $to = 'fred.bloggs@away.co.uk';
  break;
case 3;
  $to = 'sandy.shaw@the.beach.com';
  break;
default:
  $to = 'admin@the-end-of-his-tether.com';
}

mail($to,$headers,$body);

Other than that, you are going to have to cleanse the user data with regulkar expressions to trap any line feeds, any Bcc lists, and generally jump through hoops to stop them. Better to just NEVER use any form data in your headers.